Two guest-triggerable crashes in the ati-vga HOST_DATA blit path, independently found via fuzzing (generic-fuzz with ASan/UBSan).
Patch 1 fixes the heap-buffer-overflow: when ati_host_data_flush() returns early, host_data.next was not reset, causing subsequent HOST_DATA writes to index past acc[3]. The fix moves the reset into the write handler as suggested by Chad Jablonski in the v1 discussion.

Patch 2 fixes division-by-zero (SIGFPE) and g_assert_not_reached() when ati_bpp_from_datatype() returns 0 for invalid dp_datatype values.

Based on Feifan Qian's v1 report and the subsequent design discussion between BALATON Zoltan and Chad Jablonski.

v1: https://lore.kernel.org/qemu-devel/Czyl6yVfL6sHl_o1kRk8N_LpwXMMRVhO9vgz1qCVJFagn9D4nHSKuiux39iOLty0Q3acxQq_FeovPhTQvSKus2htwjI9lTajLZmqovr0Wxs=@proton.me/

Junjie Cao (2):
  hw/display/ati: reset host_data.next in write handler after flush
  hw/display/ati: guard against zero bpp in ati_host_data_flush

 hw/display/ati.c    | 2 ++
 hw/display/ati_2d.c | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

-- 
2.43.0
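The two bug patterns the series describes, modelled as a standalone C example added here for illustration (not QEMU's ati code; the struct, the 4-word accumulator and the function names are simplified assumptions): a flush that returns early on an invalid datatype, a write handler whose index reset depends on that flush succeeding (patch 1), and the zero-bpp guard that makes the early return explicit instead of dividing by zero (patch 2).

```c
#include <stdbool.h>
#include <stdint.h>

#define ACC_WORDS 4  /* assumed accumulator size; the real acc[] has index 3 as its last slot */

/* Simplified model of the HOST_DATA accumulator state (hypothetical struct). */
typedef struct {
    uint32_t acc[ACC_WORDS];
    int      next;    /* next acc[] slot to fill */
    int      bpp;     /* bits per pixel derived from the guest's dp_datatype; 0 = invalid */
    int      flushed; /* number of completed flushes */
    int      pixels;  /* pixels emitted by the last flush */
} host_data_t;

/* Patch 2 pattern: refuse to flush when bpp is 0 instead of dividing by it. */
static bool host_data_flush(host_data_t *s)
{
    if (s->bpp == 0) {
        return false;                       /* early return: no pixels written */
    }
    s->pixels = (ACC_WORDS * 32) / s->bpp;  /* safe: bpp is non-zero here */
    s->flushed++;
    return true;
}

/* Buggy handler: 'next' is only reset when the flush completes, so an early
 * return leaves next == ACC_WORDS and the following write indexes past acc[]. */
static bool host_data_write_buggy(host_data_t *s, uint32_t val)
{
    if (s->next >= ACC_WORDS) return false; /* the real device overflowed here */
    s->acc[s->next++] = val;
    if (s->next == ACC_WORDS && host_data_flush(s)) s->next = 0;
    return true;
}

/* Fixed handler: reset 'next' in the write handler regardless of the flush result. */
static bool host_data_write_fixed(host_data_t *s, uint32_t val)
{
    if (s->next >= ACC_WORDS) return false;
    s->acc[s->next++] = val;
    if (s->next == ACC_WORDS) { host_data_flush(s); s->next = 0; }
    return true;
}

/* Feed n writes with the given bpp; returns how many writes stayed in bounds. */
static int run_writes(bool (*write)(host_data_t *, uint32_t), int n, int bpp)
{
    host_data_t s = { .bpp = bpp };
    int ok = 0;
    while (ok < n && write(&s, (uint32_t)ok)) ok++;
    return ok;
}
```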
